Commit Graph

934 Commits

Author SHA1 Message Date
Archie Cobbs
642e43b39b Add address translation support for RTSP/RTP used by RealPlayer and
Quicktime streaming media applications.

Add a BUGS section to the man page.

Submitted by:	Erik Salander <erik@whistle.com>
2000-07-26 23:15:46 +00:00
Jayanth Vijayaraghavan
e7f3269307 When a connection is being dropped due to a listen queue overflow,
delete the cloned route that is associated with the connection.
This does not exhaust the routing table memory when the system
is under a SYN flood attack. The route entry is not deleted if there
is any prior information cached in it.

Reviewed by: Peter Wemm,asmodai
2000-07-21 23:26:37 +00:00
Darren Reed
72130853fb fix conflicts 2000-07-19 14:02:09 +00:00
Sheldon Hearn
571214d4fe Fix a comment which was broken in rev 1.36.
PR:		19947
Submitted by:	Tetsuya Isaki <isaki@net.ipc.hiroshima-u.ac.jp>
2000-07-18 16:43:29 +00:00
Luigi Rizzo
e07e817462 close PR 19544 - ipfw pipe delete causes panic when no pipes defined
PR: 19544
2000-07-17 20:03:27 +00:00
David Malone
cc72822764 Extra sanity check when arp proxyall is enabled. Don't send an arp
reply if the requesting machine isn't on the interface we believe
it should be. Prevents arp wars when you plug cables in the wrong
way around.

PR:		9848
Submitted by:	Ian Dowse <iedowse@maths.tcd.ie>
Not objected to by:	wollman
2000-07-13 19:31:01 +00:00
Jayanth Vijayaraghavan
7d20010979 re-enable the tcp newreno code. 2000-07-12 22:00:46 +00:00
Jun-ichiro itojun Hagino
f38211642f remove m_pulldown statistics, which is highly experimental and does not
belong to *bsd-merged tree
2000-07-12 16:39:13 +00:00
Jun-ichiro itojun Hagino
b474779f46 be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 13:01:59 +00:00
Jun-ichiro itojun Hagino
686cdd19b1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
Poul-Henning Kamp
77978ab8bc Previous commit changing SYSCTL_HANDLER_ARGS violated KNF.
Pointed out by:	bde
2000-07-04 11:25:35 +00:00
Poul-Henning Kamp
82d9ae4e32 Style police catches up with rev 1.26 of src/sys/sys/sysctl.h:
Sanitize SYSCTL_HANDLER_ARGS so that simplistic tools can grog our
sources:

        -sysctl_vm_zone SYSCTL_HANDLER_ARGS
        +sysctl_vm_zone (SYSCTL_HANDLER_ARGS)
2000-07-03 09:35:31 +00:00
Ruslan Ermilov
36e6576b44 Fixed PunchFWHole():
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.
2000-06-27 14:56:07 +00:00
Ruslan Ermilov
d15583713a - Removed PacketAliasPptp() API function.
- SHLIB_MAJOR++.
2000-06-20 13:07:52 +00:00
Ruslan Ermilov
55a39fc5a2 Added true support for PPTP aliasing. Some nice features include:
- Multiple PPTP clients behind NAT to the same or different servers.

- Single PPTP server behind NAT -- you just need to redirect TCP
  port 1723 to a local machine.  Multiple servers behind NAT is
  possible but would require a simple API change.

- No API changes!

For more information on how this works see comments at the start of
the alias_pptp.c.

PacketAliasPptp() is no longer necessary and will be removed soon.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
Rewritten by:	ru
Reviewed by:	Erik Salander <erik@whistle.com>
2000-06-20 11:41:48 +00:00
Alfred Perlstein
a79b71281c return of the accept filter part II
accept filters are now loadable as well as able to be compiled into
the kernel.

two accept filters are provided, one that returns sockets when data
arrives the other when an http request is completed (doesn't work
with 0.9 requests)

Reviewed by: jmg
2000-06-20 01:09:23 +00:00
Ruslan Ermilov
b766604065 - Improved passive mode FTP support by aliasing 229 replies.
- Stricter checking of PORT/EPRT/227/229 messages format.
- Moved all security checks into one place.
2000-06-16 20:36:16 +00:00
Ruslan Ermilov
7652512976 - Added support for passive mode FTP by aliasing 227 replies.
It does mean that it is now possible to run passive-mode FTP
  server behind NAT.

- SECURITY: FTP aliasing engine now ensures that:
  o the segment preceding a PORT/227 segment terminates with a \r\n;
  o the IP address in the PORT/227 matches the source IP address of
    the packet;
  o the port number in the PORT command or 277 reply is greater than
    or equal to 1024.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
2000-06-14 16:09:35 +00:00
Luigi Rizzo
8a0b95d610 Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
Dan Moschuk
9714563d83 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
5d3fe434f8 Implement WF2Q+ in dummynet. 2000-06-08 09:45:23 +00:00
Jonathan Lemon
707d00a304 Add boundary checks against IP options.
Obtained from:	OpenBSD
2000-06-02 20:18:38 +00:00
Jonathan Lemon
59f577ad8c When attempting to transmit a packet, if the system fails to allocate
a mbuf, it may return without setting any timers.  If no more data is
scheduled to be transmitted (this was a FIN) the system will sit in
LAST_ACK state forever.

Thus, when mbuf allocation fails, set the retransmit timer if neither
the retransmit or persist timer is already pending.

Problem discovered by:  Mike Silbersack (silby@silby.com)
Pushed for a fix by:    Bosko Milekic <bmilekic@dsuper.net>
Reviewed by:            jayanth
2000-06-02 17:38:45 +00:00
Darren Reed
6de9811ef7 define CSUM_DELAY_DATA to match merge 2000-05-26 07:28:03 +00:00
Jake Burkholder
e39756439c Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
Darren Reed
f1beb78299 fix up #ifdef jungle for FreeBSD 2000-05-25 16:24:46 +00:00
Darren Reed
6774c05335 remove duplicate prototypes 2000-05-25 16:23:30 +00:00
Jonathan Lemon
50c6dc99d8 Mark the checksum as complete when looping back multicast packets.
Submitted by:	Jeff Gibbons <jgibbons@n2.net>
2000-05-25 02:27:14 +00:00
Archie Cobbs
06a429a3c8 Just need to pass the address family to if_simloop(), not the whole sockaddr. 2000-05-24 21:16:56 +00:00
Darren Reed
a4f66d8f4c fix duplicate rcsid's 2000-05-24 19:38:17 +00:00
Bruce Evans
582a77606f Fixed some style bugs (mainly convoluted logic for blackhole processing). 2000-05-24 12:57:52 +00:00
Peter Wemm
ebb6049b1f It would have been nice if this actually compiled. Close the header
comment */.
2000-05-24 09:08:55 +00:00
Darren Reed
6e067727a7 fix up conflicts 2000-05-24 04:40:17 +00:00
Darren Reed
255c925eef fix conflicts 2000-05-24 04:21:35 +00:00
Darren Reed
6dda709260 fix conflicts 2000-05-24 04:09:13 +00:00
Darren Reed
8982edd714 fix conflicts 2000-05-24 04:01:49 +00:00
Darren Reed
d2138b8dd4 fix conflicts 2000-05-24 04:01:30 +00:00
Darren Reed
329247db38 fix conflicts 2000-05-24 03:43:24 +00:00
Darren Reed
fe646be69a fix conflicts 2000-05-24 03:17:16 +00:00
Jake Burkholder
740a1973a6 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
Dan Moschuk
4f14ee00f2 sysctl'ize ICMP_BANDLIM and ICMP_BANDLIM_SUPPRESS_OUTPUT.
Suggested by: des/nbm
2000-05-22 16:12:28 +00:00
Dan Moschuk
fcdc02160f Add option ICMP_BANDLIM_SUPPRESS_OUTPUT to the mix. With this option,
badport_bandlim() will not muck up your console with printf() messages.
2000-05-22 15:00:41 +00:00
Jonathan Lemon
1c23847582 Compute the checksum before handing the packet off to IPFilter.
Tested by:  Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
2000-05-21 21:26:06 +00:00
Peter Wemm
ff079ca4b1 Return ECONNRESET instead of EINVAL if the connection has been shot
down as a result of a reset.  Returning EINVAL in that case makes no
sense at all and just confuses people as to what happened.  It could be
argued that we should save the original address somewhere so that
getsockname() etc can tell us what it used to be so we know where the
problem connection attempts are coming from.
2000-05-19 00:55:21 +00:00
Jayanth Vijayaraghavan
d841727499 snd_cwnd was updated twice in the tcp_newreno function. 2000-05-18 21:21:42 +00:00
Jayanth Vijayaraghavan
75c6e0e253 Sigh, fix a rookie patch merge error.
Also-missed-by:	peter
2000-05-17 06:55:00 +00:00
Jonathan Lemon
5d5d5fc0bf Cast sizeof() calls to be of type (int) when they appear in a signed
integer expression.  Otherwise the sizeof() call will force the expression
to be evaluated as unsigned, which is not the intended behavior.

Obtained from:  NetBSD   (in a different form)
2000-05-17 04:05:07 +00:00
Jayanth Vijayaraghavan
6b2a5f92ba snd_una was being updated incorrectly, this resulted in the newreno
code retransmitting data from the wrong offset.

As a footnote, the newreno code was partially derived from NetBSD
and Tom Henderson <tomh@cs.berkeley.edu>
2000-05-16 03:13:59 +00:00
Ruslan Ermilov
3a06e3e02c Do not call icmp_error() if ipfirewall(4) denied packet.
PR:		kern/10747, kern/18382
2000-05-15 18:41:01 +00:00
Archie Cobbs
2e2de7f23f Move code to handle BPF and bridging for incoming Ethernet packets out
of the individual drivers and into the common routine ether_input().
Also, remove the (incomplete) hack for matching ethernet headers
in the ip_fw code.

The good news: net result of 1016 lines removed, and this should make
bridging now work with *all* Ethernet drivers.

The bad news: it's nearly impossible to test every driver, especially
for bridging, and I was unable to get much testing help on the mailing
lists.

Reviewed by:	freebsd-net
2000-05-14 02:18:43 +00:00